Introduction


We conducted an Information Systems audit in 2005 (04SP-31) regarding the effectiveness of state policy 
for disposal of computers and removal of all electronic data. Audit results indicated electronic 
information was not being removed from all computers prior to disposal. The audit report included one 
multi-part recommendation to the Department of Administration to improve the enterprise computer 
disposal policy in effect at the time. Follow-up audit work was conducted in June 2006 and determined all 
parts of the recommendation were fully implemented. State policy was revised to require a three-pass disk 
sanitization process. In order to determine the effectiveness of the new state policy, we conducted similar
Information Systems audit work for the current year. This memorandum summarizes the findings of our 
audit. 


Background 


The Montana Constitution identifies the right of individual privacy and prohibits violating this privacy 
without a “compelling state interest.” Through statute and policy, the state is required to protect 
individual privacy and the privacy of the information contained within Information Technology (IT) 
systems. 


To help the state comply with this requirement, the Department of Administration established the statewide
Disposal of Computers policy (ENT-SEC 141). The policy requires removal of information from 
computers no longer used for state business. The policy states all agency storage devices must be 
“sanitized,” meaning all agency data and software is removed so it cannot be recovered, or the device 
must be destroyed, ensuring protection of sensitive information. The policy also requires removal of 
software prior to disposal so the state does not violate software agreements by distributing software to 
unlicensed users. 


Audit Objectives 


We determined if agency computers had data and software removed from hard drives, prior to disposal, as 
required by state disposal of computers policy. The audit was conducted in accordance with Government 
Auditing Standards published by the United States Government Accountability Office (GAO). 
Audit Scope and Methodology


Certain state agencies handle greater volumes of sensitive information or have more statutory criteria 
covering information security than other agencies. We considered these agencies as having the highest 
risk of data exposure on disposed computing devices. We used these agencies to select our sample, and 
examined 19 hard drives from eight agencies. 


We acquired the hard drives from computers disposed of through the Office of Public Instruction’s (OPI) 
School Computer program. One of the eight agencies does not participate in the OPI program, so we 
acquired hard drives directly from that agency. We removed the hard drives from the computers and used
specialized software to examine the hard drives for data files and software. Our purpose was to determine 
if all data and software had been successfully removed prior to disposal. 


Conclusion 


Based on our audit work, we conclude the hard drives in computers we examined had all data and 
software removed in compliance with state disposal of computers policy. 